Turla Linked to One of the Earliest Cyberespionage Operations

Researchers at Kaspersky Lab and King’s College London have identified a link between the Russian-speaking threat actor Turla and Moonlight Maze, one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

In around 1996, a threat group believed to be located in Russia had started spying on organizations in the United States, including the Pentagon, the Department of Energy and NASA. The actor had stolen vast amounts of sensitive information from universities, military and research organizations. The activities of the group, dubbed Moonlight Maze, were first made public in 1999 and detailed last year at Kaspersky’s SAS conference by Thomas Rid of King's College London.

Experts have dug further into Moonlight Maze’s activities and at this year’s SAS conference they presented evidence linking the threat actor to Turla. If Turla does in fact turn out to be an evolution of Moonlight Maze, that would make it one of the earliest and longest cyber espionage operations, along with the NSA’s Equation Group, which is also believed to have been active since the mid ‘90s.

Turla is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig). The threat actor has been linked to the Agent.BTZ malware, which indicates that Turla may have been active since as early as 2006.

Kaspersky and King’s College London researchers found precious information after learning of David Hedges, a now-retired administrator who got to watch Moonlight Maze in action when one of his servers was compromised by the threat group back in 1998. Hedges had allowed the attackers to use his server in order to help the Metropolitan Police in London and the FBI track the team’s activities.

Hedges still had the old server, which recorded data between 1998 and 1999, allowing the researchers to analyze the tools used at the time by Moonlight Maze.

The analysis showed that the attackers compiled most of their tools on UNIX operating systems such as Solaris and IRIX. One of the third-party tools they used was LOKI2, an open-source backdoor released in 1996.

LOKI2 has provided a link to Penquin Turla, a Linux backdoor identified by Kaspersky Lab in 2014. Penquin Turla’s code was compiled for Linux kernel versions released in 1999, and the malware was based on LOKI2, which had been designed for covert data exfiltration.

Researchers believe the Penquin Turla codebase was primarily developed between 1999 and 2004, but the malware was also spotted in the 2011 attack on Swiss defense firm RUAG, and a new sample was uploaded to the VirusTotal service in March 2017. The experts’ theory is that the hackers dusted off the old code and reused it in attacks aimed at highly secure entities whose defenses may have been more difficult to breach using the group’s typical Windows toolset.

While the use of LOKI2 source code and other similarities do provide a link between Turla and Moonlight Maze, more evidence is needed before researchers can say with certainty that the former is an evolution of the latter.

Further evidence may be found in data collected from a campaign dubbed Storm Cloud. The Wall Street Journal reported in 2001 that this operation had also involved LOKI2, but researchers currently have little information on Storm Cloud.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.